Several hacking groups are using modified and more dangerous versions of malware developed by the Chinese state-sponsored crew ICEFOG (aka Fucobha), which was previously thought to have disappeared from the threat landscape. ICEFOG malware was used mainly against government organizations and the defense industry of South Korea and Japan. The group's activity was first described in a Kaspersky report in 2013, and following that exposure ICEFOG ceased its operations. But it appears that ICEFOG malware remains active and has become more advanced, according to FireEye senior researcher Chi-en (Ashley) Shen.
In a presentation at the CONFidence cyber-security conference in Poland this week, Shen said she had discovered new and upgraded variants of the ICEFOG malware. Two of them, tracked as ICEFOG-P and ICEFOG-M, were used in targeted attacks in 2014 and 2018, respectively. Both ICEFOG versions are more complex than the original backdoor used in hacking operations in the 2010s, suggesting that the threat actors continued to work on the capabilities of the malware. Shen also said she had discovered a previously unseen Mac version of the ICEFOG malware.
According to the researcher, these ICEFOG variants were used in various hacking campaigns associated with different cybercriminal groups. “The operations between 2011 and 2013 were pretty consistent, suggesting one group and an exclusive use of the malware. The new variant was seemingly used by multiple groups after the 2013 campaign,” said Shen. This means ICEFOG has gone from malware used exclusively by one cyberespionage group to a tool shared by multiple hacking units.
Shen spotted variants of the ICEFOG malware in attacks targeting:
an unnamed agriculture company in Europe in 2015
government, media, and finance organizations in Russia and Mongolia in 2015 (TOPNEWS campaign)
the governments of multiple former Soviet states in 2015 (Roaming Tiger)
Kazakh officials in 2016 (APPER campaign)
a water source provider, banks, and government entities in Turkey, India, Kazakhstan, Uzbekistan, and Tajikistan in 2018 (WATERFIGHT campaign)
an unknown entity in the Philippines in 2018 (PHKIGHT campaign)
organizations in Turkey and Kazakhstan in 2018 and 2019 (SKYLINE campaign)
In the latest campaign in 2019, tracked as the SKYLINE campaign, hackers targeted Turkey and Kazakhstan. The evidence suggests the campaign may have been active since at least 2018. Attackers leveraged a shared exploit template for CVE-2017-11882 and used a fileless version of ICEFOG-M.
Indicators of compromise (IOCs) are available here.